What Does Residual Risk Mean?
Residual risk is defined as the threat that remains after every effort has been made to identify and eliminate risks in a given situation. In other words, it is the degree of exposure to a potential hazard even after that hazard has been identified and the agreed upon mitigation has been implemented.
The residual risk is calculated in the same way as the initial risk, by determining the likelihood and consequence, and then combining them in a risk matrix.
Safeopedia Explains Residual Risk
Controls and procedures can be altered until the level of residual risk is at an acceptable level, or as low as reasonably practicable (ALARP), and complies with relevant legal and other requirements.
There are four basic ways of approaching residual risk: reduce it, avoid it, accept it, or transfer it. Since residual risk is often unknown, many organizations choose either to accept or transfer it—for example, outsourcing services with residual risk to a third party organization.